1. Field of Invention
This invention relates to the field of cross enterprise communication. In particular, the invention relates to cross enterprise communication using digital certificates.
2. Background of the Invention
When sending encrypted data using public-key cryptography standard (PKCS) software, the recipients' Distinguished Names (DNs) are specified. When receiving encrypted information, the sender's DN can be checked to make sure it is in the expected list of senders. Each enterprise maintains lists of recipients and senders; these lists may be lengthy and require constant updating as people join or leave the enterprise.
Consider, as an example, an enterprise E1 that has a department of three people (E1S1, E1S2, E1S3) who send encrypted messages to another enterprise E2. Within enterprise E2 there are three people (E2R1, E2R2, E2R3) who are authorized to receive and decrypt the messages.
A message from a sender (E1S1, E1S2, or E1S3) of E1 would be encrypted using the public keys of the intended recipients E2R1, E2R2, E2R3 at enterprise E2, and signed with the private key of the sender (E1S1, E1S2, or E1S3). This is then sent to enterprise E2.
Any of the three people E2R1, E2R2, E2R3 at enterprise E2 can decrypt the message because the message's encryption key has been encrypted for each of them. Other users cannot decrypt the message without access to the private keys of those three users.
At enterprise E2, there is a list of authorized senders, which in this case is E1S1, E1S2, E1S3, and there might be E3S1, E4S1, etc. from other enterprises as well, against which the signature of a received message is checked.
If someone joins an enterprise and is authorized to send encrypted data, it is necessary to inform all of the potential recipients in that enterprise and other enterprises that there is a new name to be added to the list of authorized senders.
Similarly, if someone joins an enterprise and is allowed to receive encrypted data, then the recipient's name needs to be added to the authorized recipients list in each enterprise that sends encrypted messages.
If someone leaves, the name of the person who has left needs to be removed from the authorized sender and recipient lists in all enterprises.
This work to maintain lists is complex and error prone. For example, one enterprise may be slow in updating its definitions, and so errors arise in sending data because people who should be authorized do not yet appear on the relevant list.
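As an added illustration of the recipient-side check described above (this is example code, not part of the patent text), the following Go code models E2's authorized-sender list keyed by DN. It assumes Ed25519 signatures in place of the PKCS/X.509 certificates the patent refers to, and the DN strings and message body are constructed. It shows the two outcomes the list-maintenance burden produces: a newly joined sender whose DN E2 has not yet added is rejected, and a message that merely claims a listed DN without that person's key is rejected as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Sender is one person at the sending enterprise: a DN and a signing key pair.
type Sender struct {
	DN   string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}
// SignedMessage is the envelope as received: the claimed sender DN travels with it.
type SignedMessage struct {
	SenderDN  string
	Body      []byte
	Signature []byte
}
// NewSender makes a fresh key pair for a DN (a constructed stand-in for a certificate).
func NewSender(dn string) (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{DN: dn, Pub: pub, Priv: priv}, nil
}

// Sign is what a sender at E1 does before the message goes to E2.
func (s *Sender) Sign(body []byte) SignedMessage {
	return SignedMessage{SenderDN: s.DN, Body: body, Signature: ed25519.Sign(s.Priv, body)}
}

// AuthorizedSenders is E2's list of permitted senders keyed by DN; it is edited by hand whenever someone joins or leaves.
type AuthorizedSenders map[string]ed25519.PublicKey

var ErrUnknownSender = errors.New("sender DN not in authorized sender list")
var ErrBadSignature = errors.New("signature does not verify under the key listed for that DN")
// Verify is the recipient-side check: the DN must be listed and the signature must verify under the key held for it.
func (a AuthorizedSenders) Verify(m SignedMessage) error {
	pub, ok := a[m.SenderDN]
	if !ok {
		return ErrUnknownSender // e.g. a new joiner whose DN E2 has not yet added
	}
	if !ed25519.Verify(pub, m.Body, m.Signature) {
		return ErrBadSignature // a matching DN string alone proves nothing
	}
	return nil
}
```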
Therefore, there is a need in the art to address the aforementioned problem.